Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Recovering from Comame Trojan, but Chrome still filthy

  • This topic is locked This topic is locked
4 replies to this topic

#1 Overwined


  • Members
  • 3 posts
  • Local time:04:59 AM

Posted 03 January 2014 - 01:35 PM

And I'm worried that I might not have gotten everything.


I originally became aware of my vulnerability when Chrome (my used-to-be browser of choice) spontaneously crashed and reopened. I wouldn't have gone digging any further had not the SALR (Something Awful Last Read) Redux extension been removed and uninstalled. When I went in to the extensions panel of Chrome, there were two entries that alarmed me. They were named "EnjoyaCoupone" and "FfindBestDeaL" verbatim. On removing and deleting these, they would simply reappear when Chrome was restarted. These are, I believe, part of "Safe Saver" malware since Google ads are getting hijacked by a Safe Saver box. This is only in Chrome.


I did a full scan with Malwarebytes and it got a number (I think 23 is the exact number) of suspicious entries which I deleted and restarted my system. "EnjoyaCoupone" was gone, but "FfindBestDeaL" remained. At first I though I was the victim of a simple malware attack, but in reality it became obvious that it was much worse. I switched to Firefox and found the two extensions also existed there, but once removed and deleted, they did no come back. However, Firefox was giving me false browser updates that pointed to "browse-update.net/firefox" which I DID NOT click through to. Upon seeing this I was put into high alert and have done nothing on my computer but try to combat this thing (or more likely these things). Here's what I've done to date:


-A FULL virus scan with Avast (clean)

-Removed all registry entries pointing to the two extensions named above. I know this is probably a mistake now, but it's done and it hasn't broken anything. These entries pointed to a folder in \Program Data that contained a handful of suspicious .exes and .dlls that I suspect were procedurally named so nothing came up on Google. I also deleted this folder.

-There was also another mysterious folder in \Program Data\ called "Win sys filter" that contained several suspicious .dlls. Google came up with nothing, so I deleted the folder and any registry entries that pointed to the folder or the files contained within.

-MULTIPLE full scans with Mallwarebytes in safe mode (clean after the first scan mentioned above)

-MULTIPLE scans with ADW Cleaner (hits on both FF with \Profiles\5e64y57u.default\prefs.js and on Chrome with \User Data\Default\preference. These entries recur and ADW Cleaner cannot seem to clean them)

-MULTIPLE scans with ComboFix in safe mode (turned up 3 or 4 entries the first time, but comes up totally clean since)

-MULTIPLE scans with Malwarebytes Anti-Rootkit in safe mode (always clean)

-MULTIPLE scans with TDSSKiller in safe mode (always clean)

-A FULL Microsoft Windows Defender Offline scan booted from a CD-ROM (This took almost 5 hours, but came up with two entries. The first is Bisar!rts which it thought was of moderate threat. This was attached to some files that are part of Dwarf Fortress' Lazy Newb Pack. I thought this could be a false positive, but because I don't really use that, I let WDO delete those entries. The second was Comame, which WDO thought of severe threat, so I of course had it removed as well. I believe this to be the primary vector for my problems, but I am not convinced that I have cleaned out all the garbage it has strewn into my computer.

-I have run RKill EVERY time before these scans excepting a full virus scan. Interestingly RKill comes up with nothing to stop EXCEPT recently after discovering and removing Comame and Bisar!rts. It comes up with many suspicious HOSTS entries, so I have...

-Reset the HOSTS file to default using Microsoft's tool to do so.


As of this moment right now, "FfinfBestDeaL" extension STILL cannot be removed. However upon resetting my HOSTS file to default the Safe Save hijack has stopped (though I doubt it's removed). ADW Cleaner STILL detects the Firefox and Chrome preference issues listed above but still cannot clean them out.


I suspect that there is enough of this left that I should do my best to clean it all out now while it's on the ropes. Or at least I'd like to believe it's on the ropes. Thank you for whatever help you can provide.


EDIT: For the record I DO NOT use ANY filesharing software. I DO NOT click attachments from anyone outside of work (.pdfs almsot exclusively which could be a vector) and I HAVE NOT installed an executable that didn't come from Steam or some other unimpeachable source. The only exception to this in the last 3 or 4 montsh has been a program called Procurement but that is hosted on Google Code, so I thought it safe. I could, of course, be terribly wrong about that.


Anyway, DDS Logs:


DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.16428  BrowserJavaVersion: 10.45.2
Run by Overwined at 12:57:06 on 2014-01-03
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.4014.2201 [GMT -5:00]
AV: avast! Antivirus *Enabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: avast! Antivirus *Enabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
============== Running Processes ===============
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\LSI SoftModem\agr64svc.exe
C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe
C:\Program Files (x86)\Dokan\DokanLibrary\mounter.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files\Logitech\Gaming Software\LWEMon.exe
C:\Program Files (x86)\Steam\Steam.exe
C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\System Control Manager\MGSysCtrl.exe
C:\Program Files (x86)\Citrix\ICA Client\concentr.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe
C:\Program Files (x86)\Hosts_Anti_Adwares_PUPs\HOSTS_Anti-Adware_main.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe
C:\Program Files (x86)\System Control Manager\MSIService.exe
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\windows\System32\svchost.exe -k secsvcs
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Motorola\Bluetooth\obexsrv.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Motorola\Bluetooth\audiosrv.exe
C:\Program Files (x86)\Common Files\Steam\SteamService.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
============== Pseudo HJT Report ===============
BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll
TB: avast! Online Security: {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll
uRun: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent
uRun: [HydraVisionDesktopManager] "C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe"
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [MGSysCtrl] C:\Program Files (x86)\System Control Manager\MGSysCtrl.exe
mRun: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
mRun: [amd_dc_opt] C:\Program Files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe
mRun: [ConnectionCenter] "C:\Program Files (x86)\Citrix\ICA Client\concentr.exe" /startup
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [AvastUI.exe] "C:\Program Files\Alwil Software\Avast5\AvastUI.exe" /nogui
mRun: [HOSTS Anti-Adware_PUPs] C:\Program Files (x86)\Hosts_Anti_Adwares_PUPs\HOSTS_Anti-Adware_main.exe
StartupFolder: C:\Users\OVERWI~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\Overwined\AppData\Roaming\Dropbox\bin\Dropbox.exe
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
DPF: {23A2712A-7A4F-4D0C-822C-D7BA9974447B} - hxxps://registration.rr.com/RegHelper.cab
DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {E6F480FC-BD44-4CBA-B74A-89AF7842937D} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.4.21.0.cab
TCP: NameServer =
TCP: Interfaces\{30644E1C-5425-4EDE-9D86-9F3DBB29BD5C} : DHCPNameServer =
TCP: Interfaces\{30644E1C-5425-4EDE-9D86-9F3DBB29BD5C}\16474777966696 : DHCPNameServer =
TCP: Interfaces\{30644E1C-5425-4EDE-9D86-9F3DBB29BD5C}\2456C6B696E6F5E4B2F5245303235303 : DHCPNameServer =
TCP: Interfaces\{30644E1C-5425-4EDE-9D86-9F3DBB29BD5C}\2554745535E4544575946494 : DHCPNameServer =
TCP: Interfaces\{C7E6DA96-BB8C-4E31-BDC5-0D0CC22B7D69} : DHCPNameServer =
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
x64-BHO: avast! WebRep: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE64.dll
x64-BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE64.dll
x64-TB: avast! WebRep: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE64.dll
x64-TB: avast! Online Security: {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE64.dll
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [BTMTrayAgent] rundll32.exe "C:\Program Files\Motorola\Bluetooth\btmshell.dll",TrayApp
x64-Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
x64-Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe /launchGaming
x64-Run: [Logitech Download Assistant] C:\windows\System32\rundll32.exe C:\windows\System32\LogiLDA.dll,LogiFetch
x64-Run: [Start WingMan Profiler] C:\Program Files\Logitech\Gaming Software\LWEMon.exe /noui
x64-DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab
x64-DPF: {CAFEEFAC-0017-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab
x64-DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab
x64-Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
x64-SSODL: WebCheck - <orphaned>
================= FIREFOX ===================
FF - ProfilePath - C:\Users\Overwined\AppData\Roaming\Mozilla\Firefox\Profiles\5e64y57u.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - plugin: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: C:\Program Files (x86)\McAfee Security Scan\3.0.318\npMcAfeeMSS.dll
FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\5.1.20913.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\npuplaypc.dll
FF - plugin: C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\npuplaypchub.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\Overwined\AppData\Local\Google\Update\\npGoogleUpdate3.dll
FF - plugin: C:\Users\Overwined\AppData\Local\Program Files\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin10181.dll
FF - plugin: C:\Users\Overwined\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: C:\windows\SysWOW64\Macromed\Flash\NPSWF32_11_9_900_170.dll
FF - plugin: D:\Games\TMC\npdd.dll
============= SERVICES / DRIVERS ===============
R0 aswRvrt;avast! Revert;C:\windows\System32\drivers\aswRvrt.sys [2013-3-11 65776]
R0 aswVmm;avast! VM Monitor;C:\windows\System32\drivers\aswVmm.sys [2013-3-11 207904]
R0 johci;JMicron 1394 Filter Driver;C:\windows\System32\drivers\johci.sys [2010-6-29 20392]
R1 aswSnx;aswSnx;C:\windows\System32\drivers\aswSnx.sys [2011-9-26 1034464]
R1 aswSP;aswSP;C:\windows\System32\drivers\aswSP.sys [2010-10-22 422216]
R1 ctxusbm;Citrix USB Monitor Driver;C:\windows\System32\drivers\ctxusbm.sys [2009-10-5 87600]
R2 AMD External Events Utility;AMD External Events Utility;C:\windows\System32\atiesrxx.exe [2013-3-28 241152]
R2 aswMonFlt;aswMonFlt;C:\windows\System32\drivers\aswMonFlt.sys [2010-10-22 78648]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2014-1-1 50344]
R2 Bluetooth OBEX Service;Bluetooth OBEX Service;C:\Program Files\Motorola\Bluetooth\obexsrv.exe [2010-6-29 637192]
R2 cpuz135;cpuz135;C:\windows\System32\drivers\cpuz135_x64.sys [2011-5-24 21992]
R2 Dokan;Dokan;C:\windows\System32\drivers\dokan.sys [2011-1-10 120408]
R2 DokanMounter;DokanMounter;C:\Program Files (x86)\Dokan\DokanLibrary\mounter.exe [2011-1-10 14848]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-6-29 13336]
R2 Micro Star SCM;Micro Star SCM;C:\Program Files (x86)\System Control Manager\MSIService.exe [2010-6-29 160768]
R3 aswStm;aswStm;C:\windows\System32\drivers\aswstm.sys [2014-1-1 79672]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\windows\System32\drivers\AtihdW76.sys [2013-2-14 96768]
R3 Bluetooth Device Manager;Bluetooth Device Manager;C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe [2010-6-29 4154120]
R3 Bluetooth Media Service;Bluetooth Media Service;C:\Program Files\Motorola\Bluetooth\audiosrv.exe [2010-6-29 1029896]
R3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2010-6-29 1028096]
R3 JMCR;JMCR;C:\windows\System32\drivers\jmcr.sys [2010-6-29 140128]
R3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;C:\windows\System32\drivers\LEqdUsb.sys [2010-3-18 74320]
R3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;C:\windows\System32\drivers\LHidEqd.sys [2010-3-18 13392]
R3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\windows\System32\drivers\NETw5s64.sys [2010-1-6 6952960]
R3 RTL8167;Realtek 8167 NT Driver;C:\windows\System32\drivers\Rt64win7.sys [2011-6-10 539240]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 HOSTS Anti-PUPs;HOSTS Anti-PUPs;C:\Program Files (x86)\Hosts_Anti_Adwares_PUPs\HOSTS_Anti-Adware.exe -update --> C:\Program Files (x86)\Hosts_Anti_Adwares_PUPs\HOSTS_Anti-Adware.exe -update [?]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-2-28 161384]
S3 Amazon Download Agent;Amazon Download Agent;C:\Program Files (x86)\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [2010-11-19 401920]
S3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;C:\windows\System32\drivers\ArcSoftKsUFilter.sys [2010-6-29 19968]
S3 BTMCOM;Bluetooth Serial Port;C:\windows\System32\drivers\btmcom.sys [2010-6-29 51200]
S3 BTMHID;BTMHID;C:\windows\System32\drivers\btmhid.sys [2010-6-29 34048]
S3 BTMUSB;Motorola Bluetooth Radio Service;C:\windows\System32\drivers\btmusb.sys [2010-6-29 461312]
S3 enecir;ENE CIR Receiver;C:\windows\System32\drivers\enecir.sys [2010-6-29 70656]
S3 enecirhid;ENE CIR HID Receiver;C:\windows\System32\drivers\enecirhid.sys [2010-6-29 14848]
S3 enecirhidma;ENE CIR HIDmini Filter;C:\windows\System32\drivers\enecirhidma.sys [2010-6-29 6656]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\windows\System32\ieetwcollector.exe [2013-12-11 111616]
S3 McComponentHostService;McAfee Security Scan Component Host Service;C:\Program Files (x86)\McAfee Security Scan\3.0.318\McCHSvc.exe [2013-2-5 235216]
S3 MSI_DVD_010507;MSI_DVD_010507;C:\PROGRA~1\MSI\MSIWDev\DVDSYS64_100507.sys [2010-5-10 28984]
S3 MSI_MSIBIOS_010507;MSI_MSIBIOS_010507;C:\PROGRA~1\MSI\MSIWDev\msibios64_100507.sys [2010-5-10 33592]
S3 MSI_VGASYS_010507;MSI_VGASYS_010507;C:\PROGRA~1\MSI\MSIWDev\VGASYS64_100507.sys [2010-5-10 14960]
S3 netr28x;Ralink 802.11n Extensible Wireless Driver;C:\windows\System32\drivers\netr28x.sys [2010-6-29 855328]
S3 TsUsbFlt;TsUsbFlt;C:\windows\System32\drivers\TsUsbFlt.sys [2011-6-8 59392]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\System32\Wat\WatAdminSvc.exe [2010-10-22 1255736]
=============== Created Last 30 ================
2014-01-03 17:05:24    75888    ----a-w-    C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{361AB022-13E6-47A9-9EA6-F67128DC64A0}\offreg.dll
2014-01-03 16:58:15    --------    d-----w-    C:\Program Files (x86)\Hosts_Anti_Adwares_PUPs
2014-01-03 16:03:20    388096    ----a-r-    C:\Users\Overwined\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2014-01-03 16:03:20    --------    d-----w-    C:\Program Files (x86)\Trend Micro
2014-01-03 15:31:16    117464    ----a-w-    C:\windows\System32\drivers\MBAMSwissArmy.sys
2014-01-03 15:13:10    --------    d-sh--w-    C:\$RECYCLE.BIN
2014-01-02 06:54:39    98816    ----a-w-    C:\windows\sed.exe
2014-01-02 06:54:39    256000    ----a-w-    C:\windows\PEV.exe
2014-01-02 06:54:39    208896    ----a-w-    C:\windows\MBR.exe
2014-01-02 03:54:31    --------    d-----w-    C:\windows\Microsoft Antimalware
2014-01-02 00:09:24    --------    d-----w-    C:\Users\Overwined\AppData\Roaming\AVAST Software
2014-01-01 23:25:54    79672    ----a-w-    C:\windows\System32\drivers\aswstm.sys
2014-01-01 23:22:17    --------    d-----w-    C:\ProgramData\AVAST Software
2014-01-01 23:01:54    --------    d-----w-    C:\ProgramData\HitmanPro
2013-12-31 17:25:12    --------    d-----w-    C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2013-12-31 17:24:21    89304    ----a-w-    C:\windows\System32\drivers\mbamchameleon.sys
2013-12-31 14:52:00    --------    d-----w-    C:\windows\ERUNT
2013-12-31 14:26:51    --------    d-----w-    C:\AdwCleaner
2013-12-31 10:39:15    10315576    ----a-w-    C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{361AB022-13E6-47A9-9EA6-F67128DC64A0}\mpengine.dll
2013-12-31 06:18:59    54640    ----a-w-    C:\Program Files (x86)\Mozilla Firefox\Plugins\resource\es\icalogUI.dll
2013-12-31 05:22:12    --------    d-----w-    C:\Users\Overwined\AppData\Roaming\QuickScan
2013-12-31 01:00:49    --------    d-----w-    C:\ProgramData\afphpcbhdofcdpbikkkoemocnjcgekfb
2013-12-28 20:10:18    --------    d-----w-    C:\Users\Overwined\AppData\Local\NBGI
2013-12-25 16:31:57    --------    d-----w-    C:\Users\Overwined\AppData\Roaming\Tropico 4
2013-12-25 16:30:08    --------    d-----w-    C:\Users\Overwined\AppData\Roaming\Kalypso Media
2013-12-21 15:21:41    --------    d-----w-    C:\Users\Overwined\AppData\Local\WarThunder
2013-12-21 15:21:41    --------    d-----w-    C:\ProgramData\WarThunder
2013-12-11 06:25:43    167424    ----a-w-    C:\Program Files\Windows Media Player\wmplayer.exe
2013-12-11 06:25:43    164864    ----a-w-    C:\Program Files (x86)\Windows Media Player\wmplayer.exe
2013-12-11 06:25:41    12625920    ----a-w-    C:\windows\System32\wmploc.DLL
2013-12-11 06:25:41    12625408    ----a-w-    C:\windows\SysWow64\wmploc.DLL
2013-12-11 06:23:59    48640    ----a-w-    C:\windows\System32\ieetwproxystub.dll
2013-12-11 00:18:51    --------    d-----w-    C:\ProgramData\SystemRequirementsLab
2013-12-10 19:38:19    335360    ----a-w-    C:\windows\System32\msieftp.dll
2013-12-10 19:38:19    301568    ----a-w-    C:\windows\SysWow64\msieftp.dll
2013-12-10 19:38:17    3155968    ----a-w-    C:\windows\System32\win32k.sys
2013-12-10 19:38:16    465920    ----a-w-    C:\windows\System32\WMPhoto.dll
2013-12-10 19:38:16    417792    ----a-w-    C:\windows\SysWow64\WMPhoto.dll
2013-12-10 19:38:15    81408    ----a-w-    C:\windows\System32\imagehlp.dll
2013-12-10 19:38:15    159232    ----a-w-    C:\windows\SysWow64\imagehlp.dll
2013-12-10 19:38:10    2048    ----a-w-    C:\windows\SysWow64\tzres.dll
2013-12-10 19:38:10    2048    ----a-w-    C:\windows\System32\tzres.dll
2013-12-10 19:37:59    230400    ----a-w-    C:\windows\System32\drivers\portcls.sys
2013-12-10 19:37:59    150016    ----a-w-    C:\windows\System32\wshom.ocx
2013-12-10 19:37:59    121856    ----a-w-    C:\windows\SysWow64\wshom.ocx
2013-12-10 19:37:59    116736    ----a-w-    C:\windows\System32\drivers\drmk.sys
2013-12-10 19:37:58    202752    ----a-w-    C:\windows\System32\scrrun.dll
2013-12-10 19:37:58    168960    ----a-w-    C:\windows\System32\wscript.exe
2013-12-10 19:37:58    156160    ----a-w-    C:\windows\System32\cscript.exe
2013-12-10 19:37:58    141824    ----a-w-    C:\windows\SysWow64\wscript.exe
2013-12-10 19:37:57    163840    ----a-w-    C:\windows\SysWow64\scrrun.dll
2013-12-10 19:37:57    126976    ----a-w-    C:\windows\SysWow64\cscript.exe
==================== Find3M  ====================
2014-01-01 23:25:52    92544    ----a-w-    C:\windows\System32\drivers\aswRdr2.sys
2014-01-01 23:25:52    78648    ----a-w-    C:\windows\System32\drivers\aswMonFlt.sys
2014-01-01 23:25:52    65776    ----a-w-    C:\windows\System32\drivers\aswRvrt.sys
2014-01-01 23:25:52    43152    ----a-w-    C:\windows\avastSS.scr
2014-01-01 23:25:52    207904    ----a-w-    C:\windows\System32\drivers\aswVmm.sys
2014-01-01 23:25:52    1034464    ----a-w-    C:\windows\System32\drivers\aswSnx.sys
2013-12-13 15:09:22    71048    ----a-w-    C:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-12-13 15:09:22    692616    ----a-w-    C:\windows\SysWow64\FlashPlayerApp.exe
2013-11-26 10:19:07    2724864    ----a-w-    C:\windows\System32\mshtml.tlb
2013-11-26 10:18:23    4096    ----a-w-    C:\windows\System32\ieetwcollectorres.dll
2013-11-26 09:48:07    66048    ----a-w-    C:\windows\System32\iesetup.dll
2013-11-26 09:23:02    2724864    ----a-w-    C:\windows\SysWow64\mshtml.tlb
2013-11-26 09:18:39    139264    ----a-w-    C:\windows\System32\ieUnatt.exe
2013-11-26 09:18:09    111616    ----a-w-    C:\windows\System32\ieetwcollector.exe
2013-11-26 09:16:57    708608    ----a-w-    C:\windows\System32\jscript9diag.dll
2013-11-26 08:35:02    5769216    ----a-w-    C:\windows\System32\jscript9.dll
2013-11-26 08:28:16    553472    ----a-w-    C:\windows\SysWow64\jscript9diag.dll
2013-11-26 08:16:12    4243968    ----a-w-    C:\windows\SysWow64\jscript9.dll
2013-11-26 08:02:16    1995264    ----a-w-    C:\windows\System32\inetcpl.cpl
2013-11-26 07:32:06    1928192    ----a-w-    C:\windows\SysWow64\inetcpl.cpl
2013-11-26 07:07:57    2334208    ----a-w-    C:\windows\System32\wininet.dll
2013-11-26 06:33:33    1820160    ----a-w-    C:\windows\SysWow64\wininet.dll
2013-11-19 08:33:38    267936    ------w-    C:\windows\System32\MpSigStub.exe
2013-10-20 16:44:01    96168    ----a-w-    C:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-10-12 04:38:32    178800    ----a-w-    C:\windows\SysWow64\CmdLineExt_x64.dll
2013-10-12 02:30:42    830464    ----a-w-    C:\windows\System32\nshwfp.dll
2013-10-12 02:29:21    859648    ----a-w-    C:\windows\System32\IKEEXT.DLL
2013-10-12 02:29:08    324096    ----a-w-    C:\windows\System32\FWPUCLNT.DLL
2013-10-12 02:03:08    656896    ----a-w-    C:\windows\SysWow64\nshwfp.dll
2013-10-12 02:01:25    216576    ----a-w-    C:\windows\SysWow64\FWPUCLNT.DLL
2013-10-05 20:25:35    1474048    ----a-w-    C:\windows\System32\crypt32.dll
2013-10-05 19:57:25    1168384    ----a-w-    C:\windows\SysWow64\crypt32.dll
============= FINISH: 12:57:40.50 ===============

Attached Files

Edited by Overwined, 03 January 2014 - 01:44 PM.

BC AdBot (Login to Remove)


#2 Overwined

  • Topic Starter

  • Members
  • 3 posts
  • Local time:04:59 AM

Posted 03 January 2014 - 02:41 PM

Just a quick update to clarify a couple things and add information:


-Safe Saver IS NOT removed from Chrome in any way. When you disable the "FfindBestDeaL" extension it is disabled, but ONLY FOR THAT SESSION. It comes right back when you reload Chrome.

-There are other Hijacks still active within Chrome. For instance, when I tried to use the HOSTS protection that is attached to ADW Cleaner, it popped up a Chrome window with that author's website at which time Chrome was immediately hijacked and I got a spurious screen to update some vague video driver, which I did not do, of course.

-Firefox (which I am using exclusively now) has no symptoms of hijacking that I can see.

-There are no symptoms of hijack outside of Chrome in general that I can see. But of course, I can't see everything.

#3 Overwined

  • Topic Starter

  • Members
  • 3 posts
  • Local time:04:59 AM

Posted 07 January 2014 - 09:18 AM

Thanks to a forum user that had the same problem and PMed me to delete a suspicious folder in Program Data (a random string of 16-20 letters), this problem is resolved. I do believe it was an indication of a much worse infection, but it prompted me to do many scans with many software suites and I think I've gotten it now. There are no suspicious activities on my computer at this time.


If anyone thinks I'm fooling myself I'd love to hear it, otherwise you may close this thread.

#4 nasdaq


  • Malware Response Team
  • 40,476 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:59 AM

Posted 07 January 2014 - 10:02 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
thisisujrt.gif Please download
Junkware Removal Tool to your Desktop.
  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: Turorial
Link 1
Link 2

IMPORTANT !!! Save ComboFix.exe to your Desktop

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Do not install any other programs until this if fixed.

How to : Disable Anti-virus and Firewall...

Double click on ComboFix.exe and follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note: Do not mouse click ComboFix's window while it's running. That may cause it to stall

Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.

Third party programs if not up to date can be the cause of infiltration an infection.

Please restart the computer before running this security check.

Please paste the logs in your next reply DO NOT ATTACH THEM.
Let me know what problem persists.

#5 nasdaq


  • Malware Response Team
  • 40,476 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:59 AM

Posted 13 January 2014 - 10:10 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users